https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238976#M160371 <HTML><HEAD></HEAD><BODY><P>Agree with Mohit,</P><P></P><P>Kindly review the attached.</P></BODY></HTML> Mon, 20 May 2013 11:38:21 GMT manjeets 2013-05-20T11:38:21Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238970#M160313 <P>We have recently deployed a VeriSign certificate on ISE for both HTTPS and EAP, it uses a corporate CA to generate and push out user certs. It seems to work on all devices but Android.</P><P></P><P>The Android device successfully completes onboarding process, but when it tries to connect using EAP-TLS, it fails and the following error shows on the ISE:</P><P></P><P>"Authentication failed: 12520 EAP-TLS filed SSL/TLS handshake because the client rejectd the ISE local-certificate"</P><P></P><P>It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices. I can't understand why would the client not trust validate the VeriSign certificate.</P><P></P><P></P><P>Has anyone seen this before? Does the client need a corporate root certificate chain to trust the user certificate it has been privisoned with? Could that be the problem?</P><P></P><P>The ISE is running v1.1.3 patch 1</P> Mon, 11 Mar 2019 03:24:02 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238970#M160313 zmainedsnz 2019-03-11T03:24:02Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238971#M160320 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;">Hi </SPAN></P><P></P><P><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;">The error message means:</SPAN></P><P></P><P><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;">This is an indication that the client does not have or does not trust the Cisco ISE certificates. </SPAN></P><P></P><PRE><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; For both the client/server certs, If&nbsp; there are multiple levels&nbsp; in the cert chain (Intermediate certs) and if so, you need to make sure that intermediate certs been installed in ISE and in the client machine as well.</SPAN><BR /><BR /><BR /><SPAN style="font-family: arial black,avant garde; font-size: 12pt; color: #333333;"> - Could you provide me the model and make of the supplicant, you&nbsp; have been facing issue with? Is it Android <STRONG> 4.1.x</STRONG>. Also is it happening with justone client or with all of the clients?</SPAN><BR /><BR /><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;"><BR /><BR /></SPAN><PRE><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;">I would strongly suggest you to install all the chain certs in both ISE and CLIENT ,test it and let me know if it helped.</SPAN></PRE> <BR /><BR /><SPAN style="font-family: arial black,avant garde; color: #333333; font-size: 12pt;"><BR /><BR />Regards<BR />Minakshi (Do rate the helpful posts <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN> )<BR /><BR /> <BR /></SPAN></PRE></BODY></HTML> Tue, 07 May 2013 00:57:50 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238971#M160320 minkumar 2013-05-07T00:57:50Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238972#M160327 <HTML><HEAD></HEAD><BODY><P>Thanks. Do we know which side has the issue?</P><P></P><P>As we migrated from a full internal CA configuration and the ISE has all the trusted root certs of internal CAs. I am drawing the conclusion that it is the client side rejecting the ISE cert. But it has been verified the VeriSign Cert did get pushed out and I thought even nothing got pushed out, VeriSign cert would still work due to its wide support?</P><P></P><P>In addition, the fact that it works on iOS makes me think it is an Android specific issue. Will get back to do more checks along the chain. Is there a way to push out the internal trust chain together with the VeriSign trust chain?</P><P></P><P>Thanks for your help.</P></BODY></HTML> Tue, 07 May 2013 01:21:53 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238972#M160327 zmainedsnz 2013-05-07T01:21:53Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238973#M160336 <HTML><HEAD></HEAD><BODY><P>Error states the client couldn't trust the policy service node certificate. Since it's working for other supplicant's and just not with android, we need to look down first at supplicant side.</P><P></P><P>As per the error, we need to ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant. You wrote:</P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>It has been verified that VeriSign's root certificate has been pushed out and installed on the Android devices. </P></PRE><P>Let's set the runtime-aaa and runtime-config logs at debug level under administration || logging || debug log configuration --- Save it.</P><P></P><P>Reproduce the issue from the android supplicant.</P><P></P><P>Operation || troubleshoot || download logs || tick only</P><P>Include debug logs</P><P>Include monitoring and reporting logs</P><P>Include most recent file = 1</P><P>Add the encryption key</P><P>Generate the bundle.</P><P></P><P>Jatin Katyal <BR /> <BR /> <BR />- Do rate helpful posts -</P></BODY></HTML> Tue, 07 May 2013 01:28:40 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238973#M160336 Jatin Katyal 2013-05-07T01:28:40Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238974#M160348 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: arial black,avant garde; font-size: 12pt;">Hi </SPAN></P><P></P><P><SPAN style="font-family: arial black,avant garde; font-size: 12pt;">&nbsp; Did you install the whole chain on the client as well? Coz the issue looks like to be on the client side, also, if you could give me the android version as well which is causing issue? </SPAN></P><P></P><P><SPAN style="font-family: arial black,avant garde; font-size: 12pt;">Do test the authentication after installing the chain certificates on the client and see if that resolves the issue.<BR /></SPAN></P><P></P><P><SPAN style="font-family: arial black,avant garde; font-size: 12pt;">Regards</SPAN></P><P><SPAN style="font-family: arial black,avant garde; font-size: 12pt;">Minakshi (Do rate the helpful posts <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN>)</SPAN></P></BODY></HTML> Tue, 07 May 2013 20:10:59 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238974#M160348 minkumar 2013-05-07T20:10:59Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238975#M160359 <HTML><HEAD></HEAD><BODY><P>Please check the android OS version you are using, and refer following. Afterwards take the action accordingly.</P><P><IMG /></P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <IMG src="http://supportforums.cisco.com/sites/default/files/legacy/0/4/8/138840-Android.JPG" class="jive-image" /></P></BODY></HTML> Wed, 08 May 2013 11:50:00 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238975#M160359 mojuneja 2013-05-08T11:50:00Z https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238976#M160371 <HTML><HEAD></HEAD><BODY><P>Agree with Mohit,</P><P></P><P>Kindly review the attached.</P></BODY></HTML> Mon, 20 May 2013 11:38:21 GMT https://community.cisco.com/t5/network-access-control/android-rejecting-ise-s-publicly-signed-certificate/m-p/2238976#M160371 manjeets 2013-05-20T11:38:21Z